CVE-2021-46360
Published 2022-02-09
Priority: P2 (66) · Severity: high · CVSS 3.1 base score: 8.8
CVSS 3.1 vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Exploit: public exploit available
EPSS: 9.18% (94.7th percentile)
Authenticated remote code execution (RCE) in Composr-CMS 10.0.39 and earlier allows remote attackers to execute arbitrary code via uploading a PHP shell through /adminzone/index.php?page=admin-commandr.
Affected (1 range)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| ocproducts | composr | <= 10.0.39 | — |
Detection & IOCs (extracted from sources)
- Detect POST requests to /data/commandr.php containing '_data=command=' in the body, indicating abuse of the Commandr file manager to execute OS commands.
- Alert on POST requests to /data/commandr.php with a body containing 'command=rm .htaccess', which is the first stage of the exploit to remove upload protection.
- Monitor for GET requests to /uploads/filedump/*.php: a PHP file uploaded to this path indicates successful webshell placement via the file/media library.
- Detect the presence of the 'commandr_dir' cookie with a base64-decoded value pointing to /raw/uploads/filedump/ in requests to the admin zone, indicating attacker session setup.
- A spawned shell process running as uid=1 (daemon) from a web server context is a strong post-exploitation indicator for this CVE.
- Session-related values (PHPSESSID, cms_session, keep_session, csrf_token) are dynamic and will differ per exploitation attempt; do not use the sample values as static IOCs.
- The exploit requires prior authentication; detections should account for an authenticated session before the malicious POST to commandr.php occurs.
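The four request-level signals listed above, turned into matching logic and run over a handful of constructed sample requests. This is an added example for this record, not code from any referenced source or from Composr; the request dictionary layout, the rule names and the sample file name x.php are assumptions, and the commandr_dir check is applied only to admin-zone paths as the note describes.

```python
import base64
import re
from urllib.parse import unquote_plus

# Constructed sample requests (not real traffic). The field layout is an
# assumption; a real deployment would parse these from web server or WAF logs.
SAMPLE_REQUESTS = [
    {"method": "GET", "path": "/adminzone/index.php?page=admin-commandr",
     "cookies": "PHPSESSID=abc; commandr_dir=L3Jhdy91cGxvYWRzL2ZpbGVkdW1wLw%3D%3D",
     "body": ""},
    {"method": "POST", "path": "/data/commandr.php",
     "cookies": "PHPSESSID=abc",
     "body": "_data=command%3Drm+.htaccess"},
    {"method": "GET", "path": "/uploads/filedump/x.php", "cookies": "", "body": ""},
    {"method": "GET", "path": "/site/index.php?page=start", "cookies": "", "body": ""},
]

def commandr_dir_target(cookie_header):
    """Return the base64-decoded commandr_dir cookie value, or None if absent/invalid."""
    m = re.search(r"(?:^|;\s*)commandr_dir=([^;]+)", cookie_header)
    if not m:
        return None
    try:
        raw = base64.b64decode(unquote_plus(m.group(1)), validate=True)
    except ValueError:  # binascii.Error is a ValueError: not base64, ignore
        return None
    return raw.decode("utf-8", "replace")

def classify(req):
    """Return the names of the detection notes above that this request matches."""
    hits = []
    path = req["path"].split("?", 1)[0]          # drop the query string
    body = unquote_plus(req["body"])             # compare on the decoded form
    if req["method"] == "POST" and path == "/data/commandr.php":
        if "_data=command=" in body:
            hits.append("commandr_os_command")
        if "command=rm .htaccess" in body:
            hits.append("htaccess_removal")
    if req["method"] == "GET" and re.fullmatch(r"/uploads/filedump/[^/]+\.php", path):
        hits.append("filedump_php_access")
    target = commandr_dir_target(req["cookies"])
    if target and path.startswith("/adminzone/") and target.startswith("/raw/uploads/filedump/"):
        hits.append("commandr_dir_filedump")
    return hits

def scan(requests):
    """Map each suspicious request index to its matched rules; benign ones are omitted."""
    results = {i: classify(r) for i, r in enumerate(requests)}
    return {i: h for i, h in results.items() if h}

if __name__ == "__main__":
    for i, rules in scan(SAMPLE_REQUESTS).items():
        print(i, SAMPLE_REQUESTS[i]["method"], SAMPLE_REQUESTS[i]["path"], rules)
```

The body rules only fire once the request is URL-decoded, so percent-encoded or plus-encoded variants of the same command string are still caught.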
CVSS provenance
- NVD (v3.1): 8.8 HIGH, CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
- NVD (v2.0): 6.5 MEDIUM, AV:N/AC:L/Au:S/C:P/I:P/A:P
No detection rules found.
No writeups or analysis indexed.
References:
- http://packetstormsecurity.com/files/171489/Composr-CMS-10.0.39-Remote-Code-Execution.html
- https://github.com/sartlabs/0days/blob/main/Composr-CMS/Exploit.py